Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp314288lqo;
        Thu, 16 May 2024 07:10:49 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXmE7n9m+TJ5mxRqfRMVrbSjioduWge9TsSJKoT66BUT4FhjB+6ONffdCHQk6zTAirHMyjyhklw17LY8mGcCTx/7OULYvY5mLFeySiL2g==
X-Google-Smtp-Source: AGHT+IHZfAWitcUcYvKo2pezXix3aPlHn2AbufvXTRb6XdePAZpOEYx85OFv9pC0kI/TbaADfHqC
X-Received: by 2002:a50:aac7:0:b0:56b:fd17:3522 with SMTP id 4fb4d7f45d1cf-5734d5cf8cfmr12581620a12.14.1715868649274;
        Thu, 16 May 2024 07:10:49 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715868649; cv=pass;
        d=google.com; s=arc-20160816;
        b=CiLd1dk8K2INOAor7faCCtEBQ/X1DLNbeq8pAdUeMzk51gp9dqhUWro/7lyWJg8EdQ
         05ooYrKkDJL7q9Q8QhwWkxqLQwdie6XFULgniuds670ZKW/vYZj0JT2xhCNcR7eOU4gx
         kBF465Ca3exPudNQWW0xj+kLXwTvk07y4UhJzYcvd2Y2swnbZsSTDE/px8lDsTlQwHkg
         /G2L+6Ik0NWZSK/5vWdDm5v3bajzBx26Ez0qYvDIEeycoRz279ipQNfB7hUPYDCRR+LV
         GnT7N30O0UfpADEk6KrKhl3SpIIfa9kEvY3zbwODNDVrZVw4/YcHYQ7hpU2gggC2CMcT
         qEjQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=B+vHXanNosqR77yg+0PuvGZcIdU1FMsesPSXvdi9FrI=;
        fh=/pxreRtobrYO3keubUenmheIQyJgL7UlVGyGcuAmzfs=;
        b=bb5zG/l6hgACAP9xp9inqZKnEMOqSOmbQO0yiXuHBHkByD0W0xa17X4m07c/aSSmKT
         D7dkX/qPbekpySrVa2yrTUMGf7MgLxsGAfdcTVIXvj3FMTA38Rpmxc9ZeEp/veHCb1dD
         DeDQueV9BqZmsWMjpSRi22lOkQPBPDkrbbczqLGA7CtN3R5hLo/YqaCV5Yh/8IijQHGy
         sVhqTjDYv2N8XZ/AgEsiQEFyJ0XlL8n3yUR+0xoqp4F1qIfkrXlFyXBLthoEJ+8ormPC
         8KyJO55Kw3rUwrf9U/QDdtSy8PDoZxTX6NBNPfJ9cSi80FAsNkk4YsN/PBVai/idjeCo
         3I8A==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=aC79Bz1Y;
       arc=pass (i=1 dkim=pass dkdomain=infradead.org);
       spf=pass (google.com: domain of linux-kernel+bounces-181155-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181155-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-181155-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3])
        by mx.google.com with ESMTPS id 4fb4d7f45d1cf-574d027dc3bsi4409425a12.125.2024.05.16.07.10.49
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 May 2024 07:10:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-181155-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=aC79Bz1Y;
       arc=pass (i=1 dkim=pass dkdomain=infradead.org);
       spf=pass (google.com: domain of linux-kernel+bounces-181155-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181155-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 08FFC1F2184D
	for <linux.lists.archive@gmail.com>; Thu, 16 May 2024 14:10:49 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 011CB14D456;
	Thu, 16 May 2024 14:10:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="aC79Bz1Y"
Received: from casper.infradead.org (casper.infradead.org [90.155.50.34])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1083214A4E5;
	Thu, 16 May 2024 14:09:57 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=90.155.50.34
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715868600; cv=none; b=r7GSHkCoZZfD8R6elzOTl4HibbTAlRvG+PKPhShCvg1WSO+jNYdCGSLVzYTLRID0+jp7+c08uSfPLYCWmUomcv7mls2mcPI8kWtoecM5dfNr+g2t9lGoAiC+Vsx8F7g15yvrx4PoAXzS4fHafSu4y4xMUhCkgBQNb06/4McREPg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715868600; c=relaxed/simple;
	bh=NG33MsgUIuv6RqtlkvMV7YeulTRGpA4Wba/8OWH9Oj0=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=jltyx8w36Uc3NvV9FGHmxkLEjjfY9ieh8HRHjbt4wiUmcLkbzMsrhNSFPGEPugfirU47Pu3DGhQg3POEwemBgmkpHoSdfUFWrttVQFDrD4oNCw/cRb2Uc9Dp9SXIGhf89NWv6eegt7i3RzuuvMgAzgVLfISK30tjLhtw27djKgk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=infradead.org; spf=none smtp.mailfrom=infradead.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b=aC79Bz1Y; arc=none smtp.client-ip=90.155.50.34
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=infradead.org
Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version:
	References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
	Content-Transfer-Encoding:Content-ID:Content-Description;
	bh=B+vHXanNosqR77yg+0PuvGZcIdU1FMsesPSXvdi9FrI=; b=aC79Bz1YkTxxAYhSjCGt8o2StR
	VjxBfTagIHSwM2YuKqY6VBIIwokJxrXcWyB+hNoMWX31yNn3mWCQWbzr3DlfMISGjPv5omvc1pF+H
	bNUoQran6PzOZzioyDuXjEQaLN2btKjMKe6aoTCcnhcuqk2/ou0DrFcAwWm95gKtDLmFfYElUOsz2
	irk03/7fzlgi8sLrDcUVueg9FozjS7J2fHFc24GyngCNs6Ll8K2HmWeEn1RCNRcosq7RBmTY3QWJf
	4QC+G+lubu3Fr2odxsWsbOV6Gmdv8NcZo+UvyCA/rNBCVfOTHc+81r+0w9sAF/7ybvzq9y5GI8dRX
	rnnDUoSw==;
Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net)
	by casper.infradead.org with esmtpsa (Exim 4.97.1 #2 (Red Hat Linux))
	id 1s7bns-0000000BrYV-0ziH;
	Thu, 16 May 2024 14:09:52 +0000
Received: by noisy.programming.kicks-ass.net (Postfix, from userid 1000)
	id BB3C530068B; Thu, 16 May 2024 16:09:51 +0200 (CEST)
Date: Thu, 16 May 2024 16:09:51 +0200
From: Peter Zijlstra <peterz@infradead.org>
To: Kees Cook <kees@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Kees Cook <keescook@chromium.org>,
	Justin Stitt <justinstitt@google.com>,
	Mark Rutland <mark.rutland@arm.com>,
	linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
	llvm@lists.linux.dev
Subject: Re: [RFC] Mitigating unexpected arithmetic overflow
Message-ID: <20240516140951.GK22557@noisy.programming.kicks-ass.net>
References: <202404291502.612E0A10@keescook>
 <CAHk-=wi5YPwWA8f5RAf_Hi8iL0NhGJeL6MN6UFWwRMY8L6UDvQ@mail.gmail.com>
 <202405081144.D5FCC44A@keescook>
 <CAHk-=wjeiGb1UxCy6Q8aif50C=wWDX9Pgp+WbZYrO72+B1f_QA@mail.gmail.com>
 <202405081354.B0A8194B3C@keescook>
 <CAHk-=wgoE5EkH+sQwi4KhRhCZizUxwZAnC=+9RbZcw7g6016LQ@mail.gmail.com>
 <20240515073636.GY40213@noisy.programming.kicks-ass.net>
 <25882715-FE44-44C0-BB9B-57F2E7D1F0F9@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <25882715-FE44-44C0-BB9B-57F2E7D1F0F9@kernel.org>

On Thu, May 16, 2024 at 06:30:32AM -0700, Kees Cook wrote:
> 
> 
> On May 15, 2024 12:36:36 AM PDT, Peter Zijlstra <peterz@infradead.org> wrote:
> >On Wed, May 08, 2024 at 04:47:25PM -0700, Linus Torvalds wrote:
> >> For example, the most common case of overflow we've ever had has very
> >> much been array indexing. Now, sometimes that has actually been actual
> >> undefined behavior, because it's been overflow in signed variables,
> >> and those are "easy" to find in the sense that you just say "no, can't
> >> do that". UBSAN finds them, and that's good.
> >
> >We build with -fno-strict-overflow, which implies -fwrapv, which removes
> >the UB from signed overflow by mandating 2s complement.
> 
> I am a broken record. :) This is _not_ about undefined behavior.

And yet you introduced CONFIG_UBSAN_SIGNED_WRAP... *UB*san, get it?

> This is about finding a way to make the intent of C authors
> unambiguous. That overflow wraps is well defined. It is not always
> _desired_. C has no way to distinguish between the two cases.

The current semantics are (and have been for years, decades at this
point) that everything wraps nicely and code has been assuming this. You
cannot just change this.

So what you do is do a proper language extension and add a type
qualifier that makes overflows trap and annotate all them cases where
people do not expect overflows (so that we can put the
__builtin_*_overflow() things where the sun don't shine).

And pretty please, also do a qualifier modification extension, because
that's totally painful already.